Microsoft Malware Protection Center

Threat Research & Response Blog

August, 2010

  • Tripping Over "Step-Over"

    "Step-over" is a common feature of debuggers. It allows us to avoid stepping into a subroutine, which is especially useful if the subroutine is thousands of lines long, is an operating system API, etc. In some debuggers it also allows the user to step out of a loop or skip a repeated string instruction. So what's the downside? That depends on the debugger. The most common attack against step-over involves self-modifying code, where the destination of the breakpoint is replaced by another...
  • Painting by Numbers

    The MMPC came across an interesting piece of social engineering today that embeds a malicious script, which has been observed circulating on 4chan message boards. On further investigation, it became apparent that this is the next stage in the evolution of a threat known as 4chan.js that has been around since 2008. This scenario relies on a user's trust in image file formats and unfamiliarity with the .HTA format (by the way, HTA stands for HTML Application). The user is sent a .PNG file that looks...
  • Breaking Some Malicious LNKs with MSRT

    The MMPC added the following MS10-046 related threats to the MSRT detection capability in August: Win32/Stuxnet, Win32/CplLnk, Worm:Win32/Vobfus.gen!A, Worm:Win32/Vobfus.gen!B, Worm:Win32/Vobfus.gen!C, Worm:Win32/Vobfus!dll, Worm:Win32/Sality.AU, Virus:Win32/Sality.AU, TrojanDropper:Win32/Sality.AU. Earlier blog posts have mentioned threats like Stuxnet, Vobfus, and Sality, which have incorporated the use of the CVE-2010-2568 vulnerability fixed by the MS10-046 bulletin...
  • Unruy downloader uses CVE-2010-0094 Java vulnerability

    Unruy is a family of trojan downloaders and unsolicited advertisement "providers". Although you might not have heard of it, it is also an infection vector for a rather prevalent family of rogues: Trojan:Win32/Fakespypro. Recently we discovered a variant of Win32/Unruy, namely TrojanDownloader:Win32/Unruy.D (6120ac9c363c6da7cd7f8bed4edd314f0d3d8f4e), that is actively using the Java vulnerability discussed in CVE-2010-0094. The exploit abuses a flaw in the deserialization of RMIConnectionImpl...
  • One Week Later: Broken LNKs and MSRT August

    This month's Malicious Software Removal Tool (MSRT) release added new detection and cleaning for several malware threats that incorporate the use of the CVE-2010-2568 vulnerability (which was fixed by the MS10-046 security bulletin released in August). This includes the Win32/Stuxnet family and several variants of Win32/Vobfus and Win32/Sality. From a global perspective, the results for these .lnk-related families were interesting. The following chart shows countries with the most saturated...
  • Is it a Monet? Looks different from afar...

    Recently, my MMPC research colleague Michael Johnson blogged about an interesting social engineering technique that results in malicious JavaScript being run on the unsuspecting recipient's computer when they follow the instructions provided in a .PNG image file. Unsurprisingly, we have since found that malware authors are using this same PNG-to-BMP conversion process as a means of obfuscating their malicious code, without any user interaction. Trojan:Win32/Sirefef.M belongs to a family of malware...
  • Alureon Evolves to 64 Bit

    Back in May, we posted an article with an update on Win32/Alureon. As the numbers demonstrate, we have been making a positive impact in terms of protecting customers from this family of attacks. Since releasing the Alureon rootkit detection and removal capabilities in MSRT (the Microsoft Malicious Software Removal Tool), there have been over 1,200,000 successful removals of this family from machines. Variant / Removals: Virus:Win32/Alureon.H 647...
  • Update not so Tweet for you

    It's very important that your computer, software and browser are running with the latest updates, but it's equally important to be discerning about where your updates are coming from. A perfect example of the latest update scam: recently, we observed malware writers using compromised Twitter accounts to post fake tweets about the 'latest TweetDeck update', as mentioned on the TweetDeck Support portal. The tweet contains a URL that points to the fake TweetDeck update file called 'tweetdeck-08302010...
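The "Painting by Numbers" and "Is it a Monet?" items above both describe script hidden inside a PNG: markup stored in a text chunk or appended after the image so that the file parses as an .HTA once the user renames it (a lenient HTML parser skips the surrounding binary bytes), or script bytes carried in the pixel data that a PNG-to-BMP conversion exposes. The scanner below is an added example, not MMPC tooling or code from either post. It walks the PNG chunk structure, checks each chunk CRC, decompresses IDAT and looks for script/HTA markers in text chunks, in bytes trailing IEND, and in the raw pixel bytes. The marker list, the function names (`scan_png`, `build_sample_png`) and the two sample images are constructed for this example; it only unfilters scanlines that use filter type 0 and only handles 8- or 16-bit colour types.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Marker set chosen for this example; a production scanner would use a fuller signature list.
MARKERS = (b"<script", b"<hta:application", b"activexobject", b"eval(")
BPP = {0: 1, 2: 3, 4: 2, 6: 4}   # bytes per pixel for 8-bit samples, by PNG colour type


def png_chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png):
    """Walk the chunk list. Returns ([(type, data, crc_ok)], bytes_after_IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    off, chunks = len(PNG_SIG), []
    while off + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[off:off + 8])
        if off + 12 + length > len(png):          # truncated chunk: keep what is there
            chunks.append((ctype, png[off + 8:], False))
            return chunks, b""
        data = png[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", png[off + 8 + length:off + 12 + length])
        chunks.append((ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc))
        off += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[off:]


def find_markers(buf):
    low = buf.lower()
    return [m.decode() for m in MARKERS if m in low]


def unfilter_rows(idat, width, height, bpp):
    """Undo scanline filtering. This example handles only filter type 0 (None)."""
    raw = zlib.decompress(idat)
    stride = 1 + width * bpp                      # one filter-type byte per scanline
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if not line:
            break
        if line[0] != 0:
            raise NotImplementedError("filter types 1-4 are not implemented here")
        rows.append(line[1:])
    return b"".join(rows)


def scan_png(png):
    """Return (location, marker) hits; location is a chunk type, 'trailer' or 'pixels'."""
    chunks, trailer = parse_chunks(png)
    hits, idat, width, height, bpp = [], b"", 0, 0, 3
    for ctype, data, crc_ok in chunks:
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            bpp = BPP.get(colour, 3) * (2 if depth == 16 else 1)
        elif ctype == b"IDAT":
            idat += data                          # IDAT may be split across chunks
        else:
            text = data
            if ctype == b"zTXt":                  # keyword \0 method compressed-text
                keyword, _, rest = data.partition(b"\x00")
                try:
                    text = keyword + zlib.decompress(rest[1:])
                except zlib.error:
                    pass
            hits += [(ctype.decode("latin-1"), m) for m in find_markers(text)]
    hits += [("trailer", m) for m in find_markers(trailer)]   # bytes appended after IEND
    if idat and width and height:
        try:
            pixels = unfilter_rows(idat, width, height, bpp)
        except (zlib.error, NotImplementedError):
            pixels = b""
        hits += [("pixels", m) for m in find_markers(pixels)]
    return hits


def build_sample_png(pixel_bytes, text_chunks, trailer):
    """Constructed test input: a 1-row 8-bit RGB image whose pixel bytes are given verbatim."""
    pixel_bytes += b"\x00" * (-len(pixel_bytes) % 3)
    ihdr = struct.pack(">IIBBBBB", len(pixel_bytes) // 3, 1, 8, 2, 0, 0, 0)
    png = PNG_SIG + png_chunk(b"IHDR", ihdr)
    for key, text in text_chunks:
        png += png_chunk(b"tEXt", key + b"\x00" + text)
    png += png_chunk(b"IDAT", zlib.compress(b"\x00" + pixel_bytes))   # filter-0 scanline
    return png + png_chunk(b"IEND", b"") + trailer


# Constructed samples, not real malware: harmless markup placed in the three hiding spots.
MALICIOUS_PNG = build_sample_png(
    b"<script>eval(unescape('%61%6C%65%72%74'))</script>",
    [(b"Comment", b'<hta:application showintaskbar="no">')],
    b"\r\n<script>x=new ActiveXObject('WScript.Shell')</script>",
)
CLEAN_PNG = build_sample_png(b"\xff\x00\x00" * 4, [(b"Comment", b"holiday photo")], b"")
```

Running `scan_png(MALICIOUS_PNG)` reports the tEXt chunk, the trailer and the pixel bytes, while the clean sample produces no hits. Treat the result as a triage heuristic: a CRC mismatch or data after IEND is itself worth a second look, and real samples can use scanline filters 1-4, split the script across colour channels, or encode it so that only the converted BMP shows it, none of which this example decodes.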